Hi list! Can anybody explain to me what strange beast is supposed to live on port 1433? I can't find it in any of several different services files on different systems, but yet my firewall blocks many connections to this port per day from various IPs. Is it some strange new (or for that matter old) exploit? Just being curious... Anyway, have a nice day.

Marko

I'm a .signature virus. Copy me to help me spread.
On Aug 26, Marko Preslenkov <marko@jabolko.si> wrote:
can anybody explain me what strange beast is supposed to live on port 1433?

A quick search on Google reveals the following: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS_SQLSPIDA....

It is MS SQL Server, infected with a worm.

Markus
--
__________________
/"\ Markus Gaugusch
\ / ASCII Ribbon Campaign markus@gaugusch.at
 X  Against HTML Mail
/ \
On Sunday 25 August 2002 10:22 pm, Marko Preslenkov wrote:
hi list!
can anybody explain to me what strange beast is supposed to live on port 1433? I can't find it in any of several different services files on different systems, but yet my firewall blocks many connections to this port per day from various IPs. Is it some strange new (or for that matter old) exploit? Just being curious...

Microsoft SQL Server. It's another Microsoft bug. It's about a month or two old.

_________________________________________________
No I Don't Yahoo! And I'm getting pretty sick of being asked if I do.
_________________________________________________
John Andersen / Juneau Alaska
Hi,

please see http://seifried.org/security/ports/1000/1433.html for further details...

Greetz
Christoph

26.8.2002 08:22:03, Marko Preslenkov <marko@jabolko.si> wrote:
hi list!
can anybody explain to me what strange beast is supposed to live on port 1433? I can't find it in any of several different services files on different systems, but yet my firewall blocks many connections to this port per day from various IPs. Is it some strange new (or for that matter old) exploit? Just being curious...

--
  .-.    Ruhr-Universitaet Bochum
  /v\    L I N U X    Lehrstuhl fuer Biophysik
 // \\   >Penguin Computing<    c/o Christoph Wegener
/(   )\  Gebaeude ND 04/Nord
 ^^-^^   D-44780 Bochum, GERMANY
Tel: +49 (234) 32-25754 Fax: +49 (234) 32-14626 mailto:cwe@bph.ruhr-uni-bochum.de http://www.bph.ruhr-uni-bochum.de
On Mon, 26 Aug 2002 08:22:03 +0200 Marko Preslenkov <marko@jabolko.si> wrote:
can anybody explain to me what strange beast is supposed to live on port 1433? I can't find it in any of several different services files on different systems, but yet my firewall blocks many connections to this port per day from various IPs. Is it some strange new (or for that matter old) exploit? Just being curious...

It's SQLSnake and it's trying to find an unguarded MS SQL Server on your system. If you don't have a SQL Server you can relax. If you do, make sure it's patched...

--
Anders Jarnberg in Stockholm, Sweden
Running SuSE 8.0, KDE, Sylpheed and listening to Massinova with xmms
Thanks for your help, guys!

I'm a .signature virus. Copy me to help me spread.
Hi All,

I have just installed 7.3 for sparc and would like to ask about iptables. Say I have only two services running, SSH and HTTP, and I configure my iptables like such:

<do the relevant flushing and chain creation>
iptables -A http-ac -p TCP -s 172.16.0.0/16 -d $myhost --dport 80 -j ACCEPT
iptables -A http-ac -p TCP -s 0/0 -d $myhost --dport 80 -j REJECT

Basically I am accepting anything from class B and denying the rest.

iptables -A ssh-ac -p TCP -s 172.16.0.0/16 -d $myhost --dport 22 -j ACCEPT
iptables -A ssh-ac -p TCP -s 0/0 -d $myhost --dport 22 -j REJECT

If I do an NMAP I get

Port     State   Service
22/tcp   open    ssh
80/tcp   open    http

Now what I want to ask is, is my firewall safe? Meaning, there are thousands of ports "available" but not listening, and all I am doing is rejecting and allowing on those that are listening and "ignoring" the rest. If I open an X window I notice that port 6000 becomes visible. Does this then mean that while ports are being opened by other applications I am at risk? But if the above two services are all that run, then I should be fine, right?

If I add one line to my firewall such as

iptables -A INPUT -j REJECT

then if someone were to install something on the machine on port 8989 for instance, or if my X windows was running, it would help, right? The reason why I am asking is because I have tried adding the top two rules plus the "reject everything else" rule and I notice problems in sending mail from cron jobs, DNS entries to port 53 denied (in the logs), etc. What UDP ports should I be blocking? Is there a list out there somewhere?

And last Q, the protocols that iptables allows are ONLY icmp, udp and tcp - am I right in understanding this from all the docs I read?

Thanks for the help!!

Rgds
Terence
On Tuesday 27 August 2002 03:18, Terence wrote:
Hi All,
I have just installed 7.3 for sparc and would like to ask about iptables.
Say I have only two services running, SSH and HTTP and I configure my iptables like such:
<do the relevant flushing and chain creation>

Please see my comments below. They are not meant to be complete; for a detailed description of iptables you could consult the fine man page or some tutorial on the net. You could also use a (IMHO) good tool like fwbuilder (www.fwbuilder.org) to create some rules and look at the resulting script. Also, I have written down the rules from memory, so they could lack some switches. Anyway, here it goes:

I would recommend setting the default policy to:

iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP

This way only packets you explicitly allow are let through. (Forward rules are only needed if you're actually routing something; I will omit these rules in my examples below.)

And then selectively allow only those services you need. iptables has a powerful feature called "connection tracking", which allows it to consider the "state" of a connection, i.e. it can distinguish between incoming and outgoing connections.
iptables -A http-ac -p TCP -s 172.16.0.0/16 -d $myhost --dport 80 -j ACCEPT

With state the rule could look like so:

iptables -A INPUT -p tcp -s 172.16.0.0/16 -d $myhost --destination-port 80 -m state --state NEW -j ACCEPT
iptables -A http-ac -p TCP -s 0/0 -d $myhost --dport 80 -j REJECT
Basically I am accepting anything from class B and denying the rest.
iptables -A ssh-ac -p TCP -s 172.16.0.0/16 -d $myhost --dport 22 -j ACCEPT

With state the rule could look like so:

iptables -A INPUT -p tcp -s 172.16.0.0/16 -d $myhost --destination-port 22 -m state --state NEW -j ACCEPT
iptables -A ssh-ac -p TCP -s 0/0 -d $myhost --dport 22 -j REJECT
The following rules allow for already established connections (the establishing of which is controlled by the rules above):

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

From this point on everything is logged and then dropped:

iptables -A INPUT -j LOG --log-prefix "INPUT DROP "
iptables -A INPUT -j DROP
iptables -A OUTPUT -j LOG --log-prefix "OUTPUT DROP "
iptables -A OUTPUT -j DROP

This allows for checking if some packets that should go through are blocked.
If I do an NMAP I get
Port     State   Service
22/tcp   open    ssh
80/tcp   open    http
Now what I want to ask is, is my firewall safe? Meaning, there are thousands of ports "available" but not listening, and all I am doing is rejecting and allowing on those that are listening and "ignoring" the rest. If I open an X window I notice that port 6000 becomes visible. Does this then mean that while ports are being opened by other applications I am at risk? But if the above two services are all that run, then I should be fine, right?
I think it is a good idea to tighten the firewall so that regardless of a user program or a service launched by accident only those connections which are explicitly allowed in the rules are possible.
If I add one line to my firewall such as
iptables -A INPUT -j REJECT
then if someone were to install something on the machine on port 8989 for instance, or if my X windows was running, it would help, right? The reason why I am asking is because I have tried adding the top two rules plus the "reject everything else" rule and I notice problems in sending mail from cron jobs, DNS entries to port 53 denied (in the logs), etc.

Here you could look into the log and put more rules in your firewall config to allow outgoing connections, like so:

iptables -A OUTPUT -p udp -d <your_nameserver> --destination-port 53 -m state --state NEW -j ACCEPT
What UDP ports should I be blocking? Is there a list out there somewhere?

I would personally rather block everything and then allow some. It is more work, and you have to adjust your firewall as you add more services, but IMHO it is more secure.

And last Q, the protocols that iptables allows are ONLY icmp, udp and tcp - am I right in understanding this from all the docs I read?

iptables has some extensions for those protocols, but you can also filter on other protocols if you put them in as numeric values, like

iptables -A INPUT -p 50 -j ACCEPT

If you omit -p, the rule applies to all IP protocols.

A last note: when not allowing a connection, you can decide between -j REJECT and -j DROP, where in the first case a reply packet is generated, and in the second there is no reply from the firewall. Both methods have their pros and cons.
Thanks for the help!!
Rgds Terence
Andreas ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote also confirms that this email message has been scanned for the presence of computer viruses. **********************************************************************
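The two halves of this thread meet in the firewall log: Marko sees many blocked connections to port 1433 from various IPs (the SQL Server worm traffic), and Andreas's log-then-drop rules exist so that "you could look into the log and put more rules in your firewall config to allow outgoing connections". The script below is an added example, not code from any list member: it parses kernel lines in the format the netfilter LOG target writes for the prefixes "INPUT DROP " and "OUTPUT DROP ", reports inbound ports probed by several distinct sources (a sweep such as the 1433 scans), and lists dropped outbound traffic generated by the host itself, suggesting an ACCEPT rule in the shape Andreas gave only for an assumed allowlist of expected services (DNS, SMTP). The log lines, the hostname "sparc" and all addresses are constructed.

```python
"""Triage netfilter LOG drops: inbound sweeps vs. outbound traffic that
probably needs an explicit ACCEPT rule. Added example, not from the thread."""
import re
from collections import defaultdict

# Constructed sample lines (not real log data) in the format the kernel writes
# for `-j LOG --log-prefix "INPUT DROP "` / `"OUTPUT DROP "`. Public addresses
# are RFC 5737 documentation ranges; the hostname "sparc" is made up.
SAMPLE_LOG = """
Aug 27 03:18:01 sparc kernel: INPUT DROP IN=eth0 OUT= SRC=203.0.113.10 DST=172.16.0.5 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=101 DF PROTO=TCP SPT=3456 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 27 03:18:07 sparc kernel: INPUT DROP IN=eth0 OUT= SRC=198.51.100.7 DST=172.16.0.5 LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=102 DF PROTO=TCP SPT=1042 DPT=1433 WINDOW=8192 RES=0x00 SYN URGP=0
Aug 27 03:18:20 sparc kernel: INPUT DROP IN=eth0 OUT= SRC=192.0.2.44 DST=172.16.0.5 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=103 DF PROTO=TCP SPT=4771 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 27 03:18:31 sparc kernel: INPUT DROP IN=eth0 OUT= SRC=203.0.113.99 DST=172.16.0.5 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=104 DF PROTO=TCP SPT=2210 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 27 03:18:40 sparc kernel: INPUT DROP IN=eth0 OUT= SRC=203.0.113.10 DST=172.16.0.5 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=105 DF PROTO=TCP SPT=3457 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 27 03:19:02 sparc kernel: OUTPUT DROP IN= OUT=eth0 SRC=172.16.0.5 DST=172.16.0.1 LEN=61 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32769 DPT=53 LEN=41
Aug 27 03:19:02 sparc kernel: OUTPUT DROP IN= OUT=eth0 SRC=172.16.0.5 DST=172.16.0.1 LEN=61 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32770 DPT=53 LEN=41
Aug 27 03:19:03 sparc kernel: OUTPUT DROP IN= OUT=eth0 SRC=172.16.0.5 DST=172.16.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2211 DF PROTO=TCP SPT=32771 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 27 03:20:11 sparc kernel: eth0: link up, 100Mbps, full-duplex
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()

LOG_RE = re.compile(r"kernel: (?P<chain>INPUT|OUTPUT|FORWARD) DROP (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")

# Assumed allowlist: outbound (proto, port) pairs a typical server legitimately
# needs. Other dropped OUTPUT traffic is reported but gets no suggested rule.
EXPECTED_OUTBOUND = {("UDP", 53): "dns", ("TCP", 53): "dns", ("TCP", 25): "smtp"}


def parse_line(line):
    """Return a dict for a LOG-target line, or None for any other kernel line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    kv = dict(KV_RE.findall(rest))
    flags = {tok for tok in rest.split() if "=" not in tok}  # DF, SYN, ACK, ...
    return {
        "chain": m.group("chain"),
        "src": kv.get("SRC"),
        "dst": kv.get("DST"),
        "proto": kv.get("PROTO"),
        "dport": int(kv["DPT"]) if kv.get("DPT") else None,
        "syn": "SYN" in flags,
    }


def parse_log(lines):
    return [ev for ev in map(parse_line, lines) if ev]


def inbound_sweeps(events, min_sources=3):
    """Inbound TCP SYN drops: ports probed by at least min_sources distinct hosts."""
    by_port = defaultdict(set)
    for ev in events:
        if ev["chain"] == "INPUT" and ev["proto"] == "TCP" and ev["syn"] and ev["dport"]:
            by_port[ev["dport"]].add(ev["src"])
    return {port: sorted(srcs) for port, srcs in by_port.items() if len(srcs) >= min_sources}


def outbound_drops(events):
    """Dropped locally originated traffic, counted by (proto, destination, port)."""
    counts = defaultdict(int)
    for ev in events:
        if ev["chain"] == "OUTPUT" and ev["dport"]:
            counts[(ev["proto"], ev["dst"], ev["dport"])] += 1
    return dict(counts)


def suggest_allow_rule(proto, dst, dport):
    """Stateful OUTPUT accept rule in the shape used in the thread."""
    return (f"iptables -A OUTPUT -p {proto.lower()} -d {dst} --dport {dport} "
            f"-m state --state NEW -j ACCEPT")


def analyse(lines, min_sources=3):
    events = parse_log(lines)
    outbound = outbound_drops(events)
    suggestions = [suggest_allow_rule(p, d, port)
                   for (p, d, port) in sorted(outbound)
                   if (p, port) in EXPECTED_OUTBOUND]
    return {"events": len(events),
            "sweeps": inbound_sweeps(events, min_sources),
            "outbound": outbound,
            "suggested_rules": suggestions}


if __name__ == "__main__":
    result = analyse(SAMPLE_LINES)
    for port, srcs in result["sweeps"].items():
        print(f"port {port}/tcp probed by {len(srcs)} sources: {', '.join(srcs)}")
    for (proto, dst, dport), n in result["outbound"].items():
        print(f"outbound drop {proto} -> {dst}:{dport} x{n}")
    for rule in result["suggested_rules"]:
        print("candidate rule (review before adding):", rule)
```

Run it against a real log with `analyse(open("/var/log/messages").read().splitlines())`. The suggested rules are deliberately limited to the allowlist: a default-deny OUTPUT chain is only worth having if every new ACCEPT is a conscious decision, so unexpected outbound drops (something listening on port 8989 and phoning home, for instance) are printed for investigation rather than turned into rules.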
participants (7)
- Anders Jarnberg
- Andreas Baetz
- Christoph Wegener
- John Andersen
- Marko Preslenkov
- Markus Gaugusch
- Terence